A database (104) maintains one or more groups (106) of digital objects (202). A user (102) wishes to retrieve one or more digital objects (202) from the database (104), without the database (104) being able to determine which particular digital objects (202) have been retrieved. In addition, the database (104) should not allow the user (102) to retrieve any digital objects (202) to which the user (102) has not been granted access. The user (102) requests the groups (106) containing the digital objects (202) the user (102) wishes to download, but does not identify the digital objects (202) within each group (106) that the user (102) is interested in. Using a symmetric key cryptosystem, the database (104) generates a key (204) for and encrypts each digital object (202) in the requested group (106) into ciphertext (206), and additionally encrypts each key (204). The database (104) transmits the ciphertexts (206) and encrypted keys (208) to the user (102). The user (102) identifies the keys (208) associated with the digital objects (202) of interest, further encrypts those keys (208), and returns the changed keys (506) to the database (104). The database (104) reverses its own encryption of the keys (506), and transmits the partially decrypted keys (510) back to the user (102). The user (102) then applies the user's (102) own decryption algorithm to the keys (510), and uses the resulting decrypted keys (204) to decrypt the digital objects (202) of interest.
1. A method for selecting a digital object in a database, the method comprising:
generating a plurality of encryption keys, each encryption key associated with one of a plurality of digital objects stored in an electronic database;
encrypting the plurality of digital objects using the associated encryption keys;
encrypting the plurality of encryption keys by the database;
transmitting to a requester the plurality of encrypted digital objects and encryption keys;
receiving from the requester at least one of the encryption keys, wherein the received encryption key has been re-encrypted by the requester prior to transmission;
generating a partially decrypted encryption key at the database by decrypting the received encryption key; and
transmitting the partially decrypted encryption key to the requester.
9. A system for selecting a digital object in a database, the system comprising a processor for:
generating a plurality of encryption keys, each encryption key associated with one of a plurality of digital objects stored in an electronic database;
encrypting the plurality of digital objects using the associated encryption keys;
encrypting the plurality of encryption keys;
transmitting to a requester the plurality of encrypted digital objects and encryption keys;
receiving from the requester at least one of the encryption keys, wherein the received encryption key has been re-encrypted by the requester prior to transmission;
generating a partially decrypted encryption key by decrypting the received encryption key using the first cryptography scheme; and
transmitting the partially decrypted encryption key to the requester.
5. A method for selecting a digital object in a database, the method comprising:
requesting a plurality of digital objects from an electronic database;
receiving from the database the requested plurality of digital objects, wherein each digital object has been encrypted using an associated encryption key;
receiving from the database a plurality of keys associated with the plurality of digital objects, wherein each key has been encrypted by the database;
selecting a ciphertext key from the plurality of received keys;
re-encrypting the selected ciphertext key;
transmitting the re-encrypted ciphertext key to the database;
receiving from the database the key wherein the key has been partially decrypted by the database;
decrypting the partially decrypted key using the second cryptography scheme to generate a decrypted key; and
decrypting the received digital object using the decrypted key.
13. A system for selecting a digital object in a database, the system comprising a processor for:
requesting a plurality of digital objects from an electronic database;
receiving from the database the requested plurality of digital objects, wherein each digital object has been encrypted using an associated encryption key;
receiving from the database a plurality of keys associated with the plurality of digital objects, wherein each key has been encrypted by the database;
selecting a ciphertext key from the plurality of received keys;
re-encrypting the selected ciphertext key;
transmitting the re-encrypted ciphertext key to the database;
receiving from the database the key wherein the key has been partially decrypted by the database;
decrypting the partially decrypted key using the second cryptography scheme to generate a decrypted key; and
decrypting the received digital object using the decrypted key.
17. A machine-readable medium having program code stored thereon which, when executed by a machine, causes the machine to perform a method for selecting a digital object in a database, the method comprising:
generating a plurality of encryption keys, each encryption key associated with one of a plurality of digital objects stored in an electronic database;
encrypting the plurality of digital objects using the associated encryption keys;
encrypting the plurality of encryption keys by the database;
transmitting to a requester the plurality of encrypted digital objects and encryption keys;
receiving from the requester at least one of the encryption keys, wherein the received encryption key has been re-encrypted by the requester;
generating a partially decrypted encryption key at the database by decrypting the received encryption key; and
transmitting the partially decrypted encryption key to the requester.
22. A machine-readable medium having program code stored thereon which, when executed by a machine, causes the machine to perform a method for selecting a digital object in a database, the method comprising:
requesting a plurality of digital objects from an electronic database;
receiving from the database the requested plurality of digital objects, wherein each digital object has been encrypted using an associated encryption key;
receiving from the database a plurality of keys associated with the plurality of digital objects, wherein each key has been encrypted by the database;
selecting a ciphertext key from the plurality of received keys;
re-encrypting the selected ciphertext key;
transmitting the re-encrypted ciphertext key to the database;
receiving from the database the key wherein the key has been partially decrypted by the database;
decrypting the partially decrypted key using the second cryptography scheme to generate a decrypted key; and
decrypting the received digital object using the decrypted key.
2. The method of
3. The method of
4. The method of
6. The method of
7. The method of
8. The method of
10. The system of
11. The system of
12. The system of
14. The system of
15. The system of
16. The system of
18. The machine-readable medium of
19. The machine-readable medium of
20. The machine-readable medium of
21. The machine-readable medium of
23. The machine-readable medium of
24. The machine-readable medium of
The present invention relates generally to secure and private communications enabling retrieval of digital objects from a computerized database.
The World Wide Web (WWW) has evolved from a service focused on academic areas and offering scientific content into a medium for common users to access information of various origins. While surfing the Web, many users are not aware that a large number of organizations such as those in the marketing industry are gathering their private information. This information is supplemented when a user accesses a Web site, clicks a Web page, makes an electronic purchase, or downloads a file. From all the records and computerized analysis, the information collector can build a digital dossier about the users—what they do, where they go, what they read, what they buy, etc.
There has, therefore, been general recognition of the need for privacy protection on the Internet. One situation in which privacy is a large concern is when databases containing users' personal information are accessed. To illustrate, suppose there is a database that maintains groups of digital objects, and a user wishes to retrieve a subset of the digital objects. Two desirable constraints on database access are as follows:
One example that illustrates these concepts is the task of providing electronic newspaper services over the Internet. A database maintains a collection of digital news articles. Assuming that a subscriber requests n articles, database security requires that the subscriber gets only n articles, while user privacy requires that the database cannot determine which n specific articles are retrieved by the subscriber.
The problem of private information retrieval was reviewed by B. Chor, O. Goldreich, E. Kushilevitz, and M. Sudan, “Private Information Retrieval,” Proceedings of the 36th Annual Symposium on Foundations of Computer Science, pp. 41–50, 1995. The authors were concerned with information-theoretic security and proposed a solution using multiple databases. However, the security of this solution relies on the assumption that the multiple databases do not communicate with each other, which is not guaranteed to be the case, and is additionally outside of the user's control and ability to independently verify.
Private information retrieval schemes using a single database were later proposed in B. Chor and N. Gilboa, “Computationally Private Information Retrieval,” Proceedings of the 29th Annual ACM Symposium on Theory of Computing, pp. 304–313, 1997, and E. Kushilevitz and R. Ostrovsky, “Single-Database Computationally Private Information Retrieval,” Proceedings of the 38th Annual Symposium on Foundations of Computer Science, 1997. These solutions are concerned with security based on computational assumptions, and in particular the difficulty of factoring large prime numbers, as is done in the well-known RSA encryption scheme. However, the computational costs of these solutions are prohibitively large due to their bit-by-bit processing approach. For example, the scheme in the Kushilevitz and Ostrovsky reference requires a computational cost on the order of O(N) multiplications modulo a 1024-bit number just to retrieve 1 bit of information, where N is the number of bits of data maintained by the database.
The requirement of database security in the context of private information retrieval was studied in Y. Gertner, Y. Ishai, E. Kushilevitz and T. Malkin, “Protecting Data Privacy in Private Information Retrieval Schemes,” Proceedings of the 30th Annual ACM Symposium on Theory of Computing, 1998.
All of the proposed solutions to the problem of private information retrieval described above employ the bit-by-bit processing approach. They are therefore of theoretical value only, and are not feasible in practical applications, because of the time that would be required to solve each problem.
Therefore, what is needed is a way of allowing a user to achieve information retrieval from a database in an efficient manner while maintaining privacy.
In accordance with the present invention, there is provided a way to allow a user (102) to achieve private information retrieval from a database (104) in an efficient manner. The database (104) maintains one or more groups (106) of digital objects (202) available for users to access. A user (102) can retrieve a subset of digital objects (202) from a group (106) of digital objects (202) in the database (104) such that:
Objects (202) in the database (104) are stored in one or more different groups (106). The user (102) identifies some particular objects (202) of interest in the database (104), and additionally the groups (106) to which those objects (202) belong. The user (102) then sends (302) a request to the database (104), specifying only the groups (106) containing the desired objects (202), but does not specifically identify the particular digital objects (202) desired. At this point, an electronic commerce transaction might take place, where the user (102) pays for access to a specified number of digital objects (202). The database (104) then encrypts (304) all digital objects (202) in each requested group (106) into ciphertext (206). In addition, a key (204) for each ciphertext (206) is encrypted (306). The database (104) then sends back (308) to the user (102) both the ciphertexts (206) and the associated encrypted keys (208).
At this point, the database (104) knows only that the user (102) desires one or more digital objects (202) from a particular group (106) of digital objects in the database (104), but is unable to determine which particular objects (202) are of interest.
The user identifies (310) the ciphertexts (206) of the desired digital objects (202), and their associated keys (208). Next, the user re-encrypts (312) the identified keys (208), and returns (314) the re-encrypted keys (506) to the database (104). The database decrypts (316) the keys (506) to the extent that it is able—i.e., the database (104) reverses the encryption it previously applied to those keys (506). However, the database (104) is unable to identify which digital objects (202) the keys (506) are associated with, because the keys (512) remain encrypted with the user's encryption scheme. The database (104) now sends (318) the keys (512) back to the user (102).
Once the user (102) receives the keys (512) back from the database (104), the next step is simply to decrypt (320) them using the user's own decryption scheme (604), thus revealing the unencrypted keys (204). Finally, the user (102) uses those keys (204) to decrypt (322) the appropriate digital object ciphertexts (206).
Since the database (104) is unable to determine which keys (204) it has decrypted, user (102) privacy is maintained. And, since the user (102) cannot gain access to any key (204) unless the database (104) first decrypts it, the user (102) will not be able to access any more objects (202) than are authorized. Thus, both constraints discussed above have been satisfied.
The present invention does not require multiple databases. Processing is digital object (202) oriented instead of bit oriented. User (102) privacy is guaranteed without any computational constraint and without additional constraints on the “honesty” of the database (104). This means that the user's interest in specific digital objects (202) is not disclosed. The security of the database (104) is based on the assumption of the intractability of computing discrete logarithms, which forms the basis of many existing digital signature schemes and the Diffie-Hellman key exchange protocol. See W. Diffie and M. Hellman, “New directions in cryptography,” IEEE Transactions on Information Theory, Vol. IT-22, No. 6, pp. 644–654, November 1976.
The present invention also provides a balance between user (102) privacy and communication cost. Communication cost can be reduced by decreasing the size of a digital object group (106), while a large digital object group (106) size gives better user (102) privacy protection.
These and other more detailed and specific objects and features of the present invention are more fully disclosed in the following specification, reference being had to the accompanying drawings, in which:
A cryptographic system, or cryptosystem, has an encryption key to convert plaintext into ciphertext and a decryption key to recover the plaintext from ciphertext. If the encryption key and the decryption key are identical, the cryptosystem is called a symmetric key cryptosystem. If the encryption key and the decryption key are different and it is computationally infeasible to determine the decryption key from the mathematically related encryption key, the cryptosystem is called an asymmetric key cryptosystem, or a public key cryptosystem. For illustrative purposes, the preferred embodiments described here make reference to symmetric key cryptosystems for encryption and decryption. It will be apparent to those skilled in the art, however, that asymmetric key cryptosystems could also be used. See, for example, A. Menezes, P. van Oorschot, and S. Vanstone, Handbook of Applied Cryptography, CRC Press, 1996, or C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, PTR Prentice Hall, Englewood Cliffs, N.J., 1995.
For purposes of clarity, we use e(k, m) to denote encryption of a digital object m with key k in a symmetric key cryptosystem; and d(k, c) to denote the decryption of a ciphertext c with key k in a symmetric key cryptosystem.
The database 104 next transmits 308 the encrypted objects 206 and keys 208 $(c_i, s_i)$, $i = 1, 2, \ldots, N$, to the user 102. Assuming that the user 102 intends to retrieve $n$, $n < N$, digital objects $m_{i_1}, m_{i_2}, \ldots, m_{i_n}$ 202 from the group 106, the user 102 identifies 310 the objects 206 and keys 208 desired, generates 311 $n$ random numbers $w_j$, $0 < w_j < p-1$, and then obtains 312 $n$ re-encrypted keys $W_j = s_{i_j}^{w_j} \bmod p$, $j = 1, 2, \ldots, n$. The user 102 sends 314 $W_j$, $j = 1, 2, \ldots, n$, and optionally the required payment to the database 104. The database 104 computes 316 and sends 318 $U_j = W_j^{1/R \bmod (p-1)} \bmod p$, $j = 1, 2, \ldots, n$, back to the user 102.
The user 102 computes 320 $k_{i_j} = U_j^{1/w_j \bmod (p-1)} \bmod p$, $j = 1, 2, \ldots, n$, and then decrypts $c_{i_j}$ with $k_{i_j}$ using the symmetric key cryptosystem to recover the digital objects $m_{i_j} = d(k_{i_j}, c_{i_j})$, $j = 1, 2, \ldots, n$ 202.
Similarly,
Then, as shown in
Focusing on the database 104 modules illustrated in
Security Considerations:
First, it can be easily seen from this description that the user 102 can obtain the desired digital objects $m_{i_j}$ 202 by decrypting the ciphertexts $c_{i_j}$ 206 with the keys $k_{i_j} = U_j^{1/w_j \bmod (p-1)} \bmod p$, $j = 1, 2, \ldots, n$. That is, if both the database 104 and the user 102 follow the protocol, the user 102 gets the desired information. However, under no circumstances is the database 104 able to pinpoint which digital objects 202 are being retrieved by the user 102. In order for the database 104 to find out which digital object 202 the user 102 is interested in retrieving, the database 104 would need to figure out which $s_{i_j}$ 208 is being used by the user 102 to compute $W_j = s_{i_j}^{w_j} \bmod p$ 506. However, the only information available to the database 104 is $W_j = s_{i_j}^{w_j} \bmod p$, $j = 1, 2, \ldots, n$, and $s_i$, $i = 1, 2, \ldots, N$. Since the $w_j$'s are randomly chosen and kept secret by the user 102, every $s_i$ 208 is equally likely to be the one used in computing $W_j = s_{i_j}^{w_j} \bmod p$, $j = 1, 2, \ldots, n$. Therefore, the user's privacy is satisfied without having to rely on any computational assumptions.
Next, we consider database 104 security. Without loss of generality, assume that the user 102 has paid for and retrieved $m_1, m_2, \ldots, m_j$ 202. The user 102 then tries to recover $m_{j+1}$, which the user 102 is not authorized to access, without the database's 104 help. This problem is equivalent to, given $s_1$ 208(1), $k_1$ 204(1), $s_2$ 208(2), $k_2$ 204(2), $\ldots$, $s_j$, $k_j$, and $s_{j+1}$, finding $k_{j+1}$ such that $s_{j+1} = k_{j+1}^R \bmod p$. One approach to solving this problem is to find $R$ 402 from, for example, $s_j = k_j^R \bmod p$ and then compute $k_{j+1} = s_{j+1}^{1/R \bmod (p-1)} \bmod p$. But this is equivalent to solving the discrete logarithm problem, and is therefore not feasible. The second approach is to express $s_{j+1}$ in terms of multiplication or division of $s_1, s_2, \ldots, s_j$. Then $k_{j+1}$ can be found from a corresponding expression in terms of $k_1, k_2, \ldots, k_j$. However, since $k_1, k_2, \ldots, k_j$ and $k_{j+1}$ are all independently and randomly chosen, finding such a relationship between the $s$'s is also not computationally feasible.
Finally, digital objects 202 are encrypted with a symmetric key cryptosystem and the encryption keys 204 are protected using large exponentiations. To recover the digital objects 202 from the ciphertexts 206, an eavesdropper must be able to break the symmetric key cryptosystem or solve the discrete logarithm problem. Both are computationally infeasible for well-designed ciphers and exponentiations with large prime modulus.
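The following Python script is a worked example of the exchange in steps 304 through 322 and of the access limit discussed under the security considerations; it is added here for illustration and is not code from the patent. It assumes a Mersenne prime modulus (2^127 − 1, chosen only to keep the example short; the page does not fix a size), a SHA-256 keystream XOR as a stand-in for the unspecified symmetric cryptosystem e(k, m)/d(k, c), and a per-request allowance that the database decrements each time it releases a partially decrypted key. Names such as `Database`, `serve_group`, `partially_decrypt` and `user_retrieve` are this example's own.

```python
import hashlib
import secrets
from math import gcd

# Public prime modulus p. 2^127 - 1 is a Mersenne prime; it is used here only so
# the example stays short (assumption: a deployment would use a much larger prime).
P = (1 << 127) - 1


def random_exponent(p):
    """Pick e in [2, p-2] with gcd(e, p-1) == 1, so that e is invertible mod p-1.
    Both the database's R and the user's w_j need this property to be undone."""
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e


def inverse_exponent(e, p):
    """Return 1/e mod (p-1): the exponent that reverses x -> x^e mod p for x in Z_p^*."""
    return pow(e, -1, p - 1)


def xor_keystream(k, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 keystream derived from the
    integer key k. The same function encrypts and decrypts. A real system would
    use an authenticated cipher such as AES-GCM instead (assumption, not the page's)."""
    key = k.to_bytes(16, "big")                      # k < 2^127 fits in 16 bytes
    out = bytearray()
    for off in range(0, len(data), 32):
        block = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], block))
    return bytes(out)


def e(k, m):
    """e(k, m): encryption of object m with key k, in the page's notation."""
    return xor_keystream(k, m)


def d(k, c):
    """d(k, c): decryption of ciphertext c with key k."""
    return xor_keystream(k, c)


class Database:
    """The database (104) holding one group (106) of digital objects (202)."""

    def __init__(self, objects):
        self.objects = list(objects)
        self.R = random_exponent(P)                  # secret exponent R (402)
        self.R_inv = inverse_exponent(self.R, P)
        self.remaining = 0                           # keys the requester may still unlock

    def serve_group(self, paid_for):
        """Steps 304-308: fresh key k_i per object, c_i = e(k_i, m_i), s_i = k_i^R mod p.
        The requester has paid for `paid_for` objects but has not said which ones."""
        self.remaining = paid_for
        self.keys = [secrets.randbelow(P - 3) + 2 for _ in self.objects]
        ciphertexts = [e(k, m) for k, m in zip(self.keys, self.objects)]
        encrypted_keys = [pow(k, self.R, P) for k in self.keys]
        return ciphertexts, encrypted_keys

    def partially_decrypt(self, W):
        """Step 316: U_j = W_j^(1/R mod (p-1)) mod p. W_j is some s_i raised to an
        exponent only the user knows, so the database cannot tell which s_i it is
        undoing; all it can enforce is how many keys it releases."""
        if self.remaining <= 0:
            raise PermissionError("no paid-for objects left to unlock")
        self.remaining -= 1
        return pow(W, self.R_inv, P)


def user_retrieve(db, wanted, paid_for):
    """The user (102): fetch the whole group, then unlock only the indices in `wanted`."""
    ciphertexts, encrypted_keys = db.serve_group(paid_for)   # step 308
    recovered = {}
    for i in wanted:                                  # step 310: pick c_i and s_i
        w = random_exponent(P)                        # step 311: secret random w_j
        W = pow(encrypted_keys[i], w, P)              # step 312: W_j = s_i^w_j mod p
        U = db.partially_decrypt(W)                   # steps 314-318
        k = pow(U, inverse_exponent(w, P), P)         # step 320: k_i = U_j^(1/w_j mod (p-1)) mod p
        recovered[i] = d(k, ciphertexts[i])           # step 322
    return recovered


if __name__ == "__main__":
    group = [b"article one", b"article two", b"article three"]   # constructed sample objects
    print(user_retrieve(Database(group), wanted=[2, 0], paid_for=2))
```

The key recovery works because R·(1/R) and w·(1/w) are both ≡ 1 mod (p−1), so by Fermat's little theorem U_j = k^{R w (1/R)} = k^{w} mod p and the user's final exponentiation returns k itself. The `gcd` check in `random_exponent` is what guarantees those inverses exist; the page's bound 0 < w_j < p−1 alone does not. The allowance counter is the only lever the database has, since the blinded W_j values reveal nothing about which s_i they came from.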
The above description is included to illustrate the operation of the preferred embodiments and is not meant to limit the scope of the invention. The scope of the invention is to be limited only by the following claims. From the above discussion, many variations will be apparent to one skilled in the art that would yet be encompassed by the spirit and scope of the present invention.
Feng, Bao, Huijie, Robert Deng, Peirong, Feng
Patent | Priority | Assignee | Title |
5029207, | Feb 01 1990 | Cisco Technology, Inc | External security module for a television signal decoder |
5481613, | Apr 15 1994 | ENTRUST TECHNOLOGIES LTD | Computer network cryptographic key distribution system |
5604801, | Feb 03 1995 | IBM Corporation | Public key data communications system under control of a portable security device |
5724425, | Jun 10 1994 | Sun Microsystems, Inc | Method and apparatus for enhancing software security and distributing software |
5855018, | Oct 18 1996 | Yeda Research and Development Co. Ltd. | Private information retrieval |
6167392, | Oct 09 1997 | TELCORDIA TECHNOLOGIES, INC , A CORP OF DELAWARE | Method and apparatus for private information retrieval from a single electronic storage device |
6336121, | Mar 24 1998 | Entrust Technologies, Ltd. | Method and apparatus for securing and accessing data elements within a database |
6687822, | Jun 11 1999 | WSOU Investments, LLC | Method and system for providing translation certificates |
6711553, | Feb 25 2000 | Kent Ridge Digital Labs | Method and apparatus for digital content copy protection |
6845447, | Nov 11 1998 | Nippon Telegraph and Telephone Corporation | Electronic voting method and system and recording medium having recorded thereon a program for implementing the method |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Apr 13 2001 | Agency for Science, Technology and Research (A*STAR) | (assignment on the face of the patent) | ||||
Oct 05 2001 | FENG, BAO | Kent Ridge Digital Labs | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012291 | 0395 | |
Oct 08 2001 | PEIRONG, FENG | Kent Ridge Digital Labs | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012291 | 0395 | |
Oct 10 2001 | HUIJIE, ROBERT DENG | Kent Ridge Digital Labs | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 012291 | 0395 | |
Mar 28 2002 | Kent Ridge Digital Labs | Laboratories for Information Technology | CHANGE OF NAME SEE DOCUMENT FOR DETAILS | 019520 | 0409 | |
Jul 11 2002 | LABORATORIES FOR INFORMATION TECHNOLOGY INCORPORATED | INSTITUTE FOR INFOCOMM RESEARCH | CHANGE OF NAME SEE DOCUMENT FOR DETAILS | 019520 | 0411 | |
Apr 27 2007 | INSTITUTE FOR INFOCOMM RESEARCH I2R | AGENCY FOR SCIENCE, TECHNOLOGY AND RESEARCH A*STAR | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 019261 | 0222 |
Date | Maintenance Fee Events |
Jan 17 2011 | REM: Maintenance Fee Reminder Mailed. |
Jun 12 2011 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Jun 12 2010 | 4 years fee payment window open |
Dec 12 2010 | 6 months grace period start (w surcharge) |
Jun 12 2011 | patent expiry (for year 4) |
Jun 12 2013 | 2 years to revive unintentionally abandoned end. (for year 4) |
Jun 12 2014 | 8 years fee payment window open |
Dec 12 2014 | 6 months grace period start (w surcharge) |
Jun 12 2015 | patent expiry (for year 8) |
Jun 12 2017 | 2 years to revive unintentionally abandoned end. (for year 8) |
Jun 12 2018 | 12 years fee payment window open |
Dec 12 2018 | 6 months grace period start (w surcharge) |
Jun 12 2019 | patent expiry (for year 12) |
Jun 12 2021 | 2 years to revive unintentionally abandoned end. (for year 12) |